Tornado Cash receives funds tied to Aperture Finance exploit

Funds linked to the January exploit of Aperture Finance have been caught moving on-chain. The hacker allegedly moved the looted funds through the Ethereum-based mixer Tornado Cash. Addresses flagged linked to the attacker deposited about 1,243 Ether (approx. worth roughly $2.4 million) into the mixer.

Aperture Finance, on January 25, disclosed that it had suffered an exploit affecting its V3 and V4 contracts. The losses are estimated at around $3.67 million. However, this move comes in when the crypto market is dealing with high selling pressure and bearish sentiments. Ethereum price has dropped by around 28% over the past 7 days.

Crypto hack losses jump 13% month-on-month

The hacking incident occurred during a month marked by several other crypto-related losses. PeckShield in a post reported that around 16 hacking incidents happened in January, which resulted in losses of $86.01 million. The amount is slightly lower than compared to Jan 2025 (approx. amount $87.25 million), but a notable 13.25% MoM surge from Dec 2025 (approx. $76 million).

Phishing-related losses during the same period exceeded $300 million. Among the largest incidents reported in January were attacks on Step Finance, Truebit Protocol and SwapNet. Step Finance lost around $29 million. There has been a breach of security for some of its treasury wallets. Truebit protocol lost approximately 8,535 ETH, valued at around $26.4 million, in the theft.

PeckShield has mentioned that the Aperture Finance exploit was unrelated to the SwapNet incident, despite it happening around the same time.

Security firm BlockSec reported that Aperture Finance contracts exposed an arbitrary-call capability. This unfolded because of insufficient input validation. That weakness allowed attackers to exploit existing token approvals and drain assets using transferFrom calls.

The vulnerability reportedly emerged from a helper module that executed low-level calls using user-supplied calldata. It was triggered without enforcing restrictions on call targets or function selectors. Attackers were able to craft malicious calldata to siphon ERC-20 tokens and approve transfers of Uniswap V3 position NFTs.

Users who had enabled Aperture Finance’s “Instant Liquidity Management” features were affected. In one Ethereum-based transaction analyzed by security firms, an attacker deployed a contract that triggered the vulnerable function with a minimal amount of ether. It was wrapped into WETH and executed a transferFrom call on WBTC. This allowed funds to be drained while passing internal balance checks.

Aperture launched forensic probe

Aperture Finance said the exploit had been contained and that affected web application functions were disabled. The company said it was conducting a forensic investigation with external security firms. It is also coordinating with law enforcement to trace the stolen funds. It added that its automation strategies were not impacted because they operate on a separate system. However, they advised users who had used instant liquidity features to revoke relevant approvals.

Ether is suffering from the high sell-off as Bitcoin price dipped below $70,000 before recovering. ETH price is down by almost 7% in the last 24 hours. It has nosedived by 29% since the beginning of this year. Ether is trading at an average price of $2,087 at the press time.